Blue Iris UI3

The router typically assigns or manages the IP address traffic. A "dumb" switch is no different than simply having more ports on your router - the whole purpose of the switch is to provide additional wired ports.

So your cameras are probably on the same IP address range as your other devices and thus the cameras are probably passing through the router (you won't know for sure unless you monitor it). Maybe it is and maybe it isn't. But if you log in to the admin screen of the router, you will see the cameras as devices on the router, so the potential is certainly there for it to be passing through it.

But unless you have taken steps to keep them from being able to talk to the outside world, they are either phoning home or open to being hacked. Ironically surveillance cameras are known to be very poor at security. They need to be isolated from the Internet via VLAN or a dual NIC system.

In a dual NIC or VLAN system, the router never sees the camera IP addresses. They do not exist according to the router.
 
If your cameras are on the same subnet as the rest of your network they are exposed to the internet. By adding a second NIC you can put your cameras on their own subnet that isn't routed to the Internet. This way they can't call home. You'll need to put a second NIC in the computer you use to manage the BI computer if you want to do so remotely. A NIC can only access one subnet at a time. Adding a second NIC means the computer can access 2 different subnets at the same time but only one of these is connected to the Internet, the other to the cameras. Clear as mud?
 
I had some security problems with my cams a while ago (passwords were reset, etc). If I recall correctly, the cameras automatically opened ports on my router. There was some function to disable this feature and since then all camera problems disappeared. However, I also lost connection to my home automation system, streaming services, etc since all ports were shut down. Now I just use a VPN connection if I need to connect to my system at home. But I am considering changing my PoE switch to a fanless "smart" (that allows VLANs) one. 16 port smart PoE switches without fans are not easy to find at "reasonable" prices, though.
 
If you are concerned about network security (and it sounds like you need advice pretty badly), might want to dig through existing posts on this site in that regard. Many folks ask those same questions and many folks respond with valued suggestions and opinions. Start searching & researching before you end up on YouTube hacked security cameras :)
Or start a new topic and see who can give you more detailed advice than from this Blue Iris UI3 forum post.
 
Maybe clear as murky water.

I'm also wanting to try this more secure setup but I have been apprehensive because my BI computer is a headless system in a closet and I access the camera feeds through the UI3 web interface from several computers on my LAN. So if I understand you correctly, I should add a second NIC to the headless BI computer and connect only my POE switch to that second NIC. However, if I want to be able to manage the BI computer I also need to add a second NIC to my main (non BI) computer. Is this correct? I'm also assuming here that both of the second NICs need to be connected to the same POE switch for the cameras. Do I have all this straight so far?

If so, my last question is can I access the UI3 web interface from other computers on my LAN (like a laptop) that do not have a second NIC?

Thanks for your help!
 
Most of us run headless BI computers.

We use Remote Desktop (RDP) or some other similar application to log directly into the BI computer from another device.

UI3 is on the BI Computer, which has two IP addresses under the dual NIC setup - Camera IP addresses on one NIC and an Internet IP address on the 2nd NIC. You would access UI3 from the LAN the exact same way using the exact same IP address you use now to access UI3, the only difference is the cameras are no longer on the same IP address as the rest of your system.

All you would do is add the 2nd NIC to your BI computer and assign it an IP address range that is not the same IP address range as your current LAN. Then you change the IP addresses of the cameras in the camera GUI and in BI and you are good to go.

So if your existing internet LAN is 192.168.1.xxx, just change the cameras to 192.168.2.xxx and then you are only changing one number in your already existing setup in the cameras and in BI.

Another NIC can be had for $10-$20 and is a cheap investment in keeping cameras off the internet.
 
OK, great. I think I follow that. So the internet side NIC on the BI computer would get its IP info and subnet from the router via DHCP. Since the second NIC is not connected to a router (only to the POE camera switch), do I set the camera subnet within the NIC IPv4 properties like this:
[Attached image: NIC example.PNG]

If so, do I leave the default gateway blank?
How do the cameras get their IP now? Do I set a static IP in each camera's configuration settings?

Thanks again for all of your help.
 
That would be correct - and yes go into each camera and manually assign them an IP address (which you should have been doing anyway so that the router wouldn't change the IP and then BI cannot find them). Then go into the BI camera setting and simply change the IP address to the new IP for each camera.

But you should also manually assign an IP address to the BI computer for internet as well. Maybe you have just got lucky that your router hasn't changed it and then you couldn't get into UI3 or BI find your cameras.
 
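The dual-NIC settings confirmed in the post above (static address on the camera NIC, default gateway left blank), as an added PowerShell example that is not part of any post in this thread. The adapter names `LAN` and `Cameras` and the address 192.168.2.1/24 are assumptions; the script also checks that Windows is not forwarding packets between the two NICs, since forwarding would reconnect the camera subnet to the router side.

```powershell
# Added example (run in an elevated PowerShell on the BI computer).
# Assumed names/values, not from the thread: adapter aliases 'LAN' and 'Cameras',
# and 192.168.2.1/24 as the BI computer's address on the camera subnet.
$lanAlias = 'LAN'          # NIC cabled to the router
$camAlias = 'Cameras'      # NIC cabled only to the PoE camera switch
$camIp    = '192.168.2.1'
$prefix   = 24

# Static address on the camera NIC. -DefaultGateway is deliberately omitted,
# which is the "leave the default gateway blank" setting from the thread.
Set-NetIPInterface -InterfaceAlias $camAlias -AddressFamily IPv4 -Dhcp Disabled
$existing = Get-NetIPAddress -InterfaceAlias $camAlias -AddressFamily IPv4 `
                -IPAddress $camIp -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetIPAddress -InterfaceAlias $camAlias -IPAddress $camIp -PrefixLength $prefix | Out-Null
}

# Make sure Windows does not route packets between the two NICs.
Set-NetIPInterface -InterfaceAlias $lanAlias, $camAlias -AddressFamily IPv4 -Forwarding Disabled

# Verify the result and collect anything that would undo the isolation.
$problems = @()
$camRoute = Get-NetRoute -InterfaceAlias $camAlias -DestinationPrefix '0.0.0.0/0' `
                -ErrorAction SilentlyContinue
if ($camRoute) { $problems += "Default gateway is set on '$camAlias'; it should be blank." }

foreach ($nic in Get-NetIPInterface -InterfaceAlias $lanAlias, $camAlias -AddressFamily IPv4) {
    if ($nic.Forwarding -eq 'Enabled') {
        $problems += "IP forwarding is enabled on '$($nic.InterfaceAlias)'."
    }
}

# With /24 masks (assumed) the first three octets identify the subnet; the two NICs must differ.
$lanIp  = (Get-NetIPAddress -InterfaceAlias $lanAlias -AddressFamily IPv4 |
              Select-Object -First 1).IPAddress
$lanNet = ($lanIp -split '\.')[0..2] -join '.'
$camNet = ($camIp -split '\.')[0..2] -join '.'
if ($lanNet -eq $camNet) { $problems += "LAN and camera NICs are both in $camNet.0/24." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No problems found: $camIp/$prefix on '$camAlias', no gateway, forwarding off." }
```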
I am currently setting the BI computer and all the cameras with a static IP assigned from the router, but I can change that. I never tried this before because I always thought that I wouldn't be able to access the web interface from any of my LAN computers except the BI machine. Now I know better and I think I'm going to make this change this weekend. Thank you for all of your help.
 
It's the best cheapest easiest way to secure your camera network so good luck!
 
Yeah setting the BI computer to a static in the router is fine. Obviously your cameras will not be able to do that after you take them off the router, but it is a simple procedure to assign them a static in the camera GUI and then change the IP address in BI for each camera.

You will probably see some improved performance of your home internet after you take the cameras off of it.
 
Thanks for these tutorials, wittaj. I imagine that as soon as a camera's IP is statically set and changed, then the GUI login fails, and a person would have to log into the camera's new IP.
 
Hey @wittaj, so my existing setup is basically a tower and monitor in my basement with a POE switch connecting cameras and everything together. My cameras are isolated from the internet by my router - I've gone into each one and blocked access to the internet and use a VPN to connect to my BI PC from outside of the house.

Say, for example, that I wanted to move my monitor to a different location in the house but keep the switch, connections, and tower down in the basement, how would I and what would I need to basically view the BI PC from the monitor in a different location - another whole PC that remotes in?
 
Many threads here on how to accomplish this.
 
Another whole PC that remotes in is one way, running an HDMI cable to the new location is another, as is a wireless HDMI transmitter.

But I would vote for doing what most of us do, just RDP or some other remote application directly into it from whatever device you have connected to your LAN.

You can RDP into your BI computer from a tablet for example. It doesn't have to be a PC. I have RDP'd into it from my phone before. Kind of a pain without a mouse, but it can be done.
 
Awesome. Thank you!
 
I use an HDBase-T device. One is in our "closet" and the other one is in my office. They are connected through an Ethernet cable (needs to be a direct connection, i.e. not through a switch). On the other side I have my 4k monitor, keyboard, mouse, and USB extension connected. If you want something similar, make sure that you have ports for USB, etc. Also make sure they support the monitor resolution you require.
 